No ip addresses on failover firewall? (Pix 6.3(5))

I have a pix firewall with an interface on a /30 network (direct link to a router) so there are only two ip addresses available - the PIX and the router. I now want to add a failover firewall and not assign an ip address to the interface on the failover firewall, just a mac address. My goal is that for this particular interface there will be only one IP address that floats between the two firewalls, instead of two addresses that get swapped between the two firewalls when failover occurs.

I can't find anything that indicates that this would not work, but would appreciate confirmation from the forum experts.

Re: No ip addresses on failover firewall? (Pix 6.3(5))

I tried it with no ip address, and got warnings on the standby firewall about a lack of an ip address. That's actually ok with me, as long as the address fails over properly. I'll have to check and see if failover works the way I anticipate.

And maybe the "hello" packets are using MAC addresses instead of IP...

Re: No ip addresses on failover firewall? (Pix 6.3(5))

No, unfortunately it will not work. The two units must have communication between each other on all the interfaces that are enabled. If you don't assign the IP address to the secondary unit there's no way the units can transmit the hello packets, which obviously causes an error. Please check the document below:

Re: No ip addresses on failover firewall? (Pix 6.3(5))

I can't read your reference since I'm not a partner. I've done some testing and validated that setting the firewalls up in this way does NOT keep them from working, but I get a warning on the standby firewall about the lack of an IP address. I will have to check failover next week. While failover may not happen if the interface with only one IP fails, I'm still reasonably certain that a hardware/power failure would cause failover and that the single IP address would shift to the standby firewall in that case.

Re: No ip addresses on failover firewall? (Pix 6.3(5))

You need to have a standby IP address configured on the STDBY interface for failover to function as documented. The following are the steps involved in checking the state of an interface, and each requires unique IP addresses on the interfaces.

NIC Status Test

This test is a Link Up/Down check of the NIC itself. If an interface card is not plugged into an operational network, it is considered failed.

Network Activity Test

This test is a "received network activity" test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the unit performs an ARP test.

ARP Test

In the ARP test, the ARP cache of the unit is read for the ten most recently acquired entries. Then, one at a time, the unit sends ARP requests to these machines, in an attempt to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the unit performs the Ping test.

Ping Test

In order to perform the Ping test, the unit sends out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP test.
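The four-stage sequence in the post above (NIC status, received activity, ARP, broadcast ping) is easier to reason about as a small state machine. The block below is an added example written for this page, not Cisco code and not the PIX implementation: the probe data is constructed, and the round limit is an assumption added so the ARP-to-ping loop the post describes terminates. It shows which stage decides the verdict for a given interface, including the edge case where the only responsive host sits beyond the ten most recent ARP entries.

```python
"""Simulation of the PIX interface health-test sequence described in the post.

Added example, not Cisco code: the four stages follow the order given in the
post; InterfaceProbe fields and the max_rounds cap are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RX_WINDOW_SECONDS = 5    # the post: "counts all received packets for up to 5 seconds"
ARP_CACHE_ENTRIES = 10   # the post: "the ten most recently acquired entries"


@dataclass
class InterfaceProbe:
    """What the unit can observe on one interface (constructed test data)."""
    link_up: bool
    passive_rx_packets: int                                   # packets seen in the activity window
    arp_cache: List[str] = field(default_factory=list)        # most recently acquired first
    arp_reply_rx: Dict[str, int] = field(default_factory=dict)  # packets seen after probing a host
    broadcast_ping_rx: int = 0                                # packets seen after the broadcast ping


def run_interface_tests(probe: InterfaceProbe, max_rounds: int = 2) -> Tuple[str, str]:
    """Return (verdict, stage_that_decided).

    max_rounds is an assumption: the post says a silent interface loops
    ARP -> ping -> ARP, so the loop is capped and reported as "undetermined".
    """
    # Stage 1: NIC status test, a plain link up/down check.
    if not probe.link_up:
        return ("failed", "nic")

    # Stage 2: network activity test; any received packet ends testing.
    if probe.passive_rx_packets > 0:
        return ("operational", "activity")

    for _ in range(max_rounds):
        # Stage 3: ARP test, one request per cached host, newest first, at most ten.
        for host in probe.arp_cache[:ARP_CACHE_ENTRIES]:
            if probe.arp_reply_rx.get(host, 0) > 0:
                return ("operational", "arp")

        # Stage 4: broadcast ping test over the same 5-second window.
        if probe.broadcast_ping_rx > 0:
            return ("operational", "ping")

        # Still nothing: the post says testing starts over with the ARP test.

    return ("undetermined", "ping")


if __name__ == "__main__":
    quiet_link = InterfaceProbe(link_up=True, passive_rx_packets=0,
                                arp_cache=["10.0.0.2", "10.0.0.3"],
                                arp_reply_rx={"10.0.0.3": 1})
    print(run_interface_tests(quiet_link))   # decided at the ARP stage
```

A point worth noticing from the thread: on the standby unit of the poster's /30 link, none of stages 2 to 4 can be satisfied by peer hellos, because the standby has no address to receive them on, which is why that interface shows "(Waiting)" in the later `show failover` output.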

Re: No ip addresses on failover firewall? (Pix 6.3(5))

Well, in reality, it works just fine. The one pair of interfaces that I could only assign one address to came up, and failover occurs when the link goes down on the active firewall, or if the primary firewall is reset.

I may not have been quite clear with my first question. These firewalls have three nets plus the status link, and only one of the nets has no failover IP. Here's the SHOW FAILOVER command:

show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 06:59:05 EST Mon Feb 27 2006
This host: Primary - Active
Active time: 480 (sec)
Interface sdclan (10.164.4.1): Normal
Interface tcs (10.164.2.30): Normal
Interface dohrcpo (10.75.29.82): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface sdclan (10.164.4.2): Normal
Interface tcs (10.164.2.29): Normal
Interface dohrcpo (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.2): Normal

So the DOHRCPO link only has one address floating between the two firewalls, but it works fine. I do get a warning message that there's no ip address assigned, but I can live with that.
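The `show failover` output above is the kind of thing worth checking automatically, since the one interface the thread is about is also the one the firewall cannot fully health-check. The block below is an added example, not part of the thread or of any Cisco tool: it embeds a copy of the posted output as constructed sample input, pairs each interface on the active unit with its counterpart on the standby, and flags the two conditions visible in the post, a standby interface with no address (0.0.0.0) while the active side has one, and an interface still "(Waiting)" for a hello from its peer. Interfaces shut down on both units are skipped. The function and constant names are this example's own.

```python
"""Parse `show failover` output and flag interfaces whose failover monitoring is
incomplete. Added example for this thread; the sample text is a copy of the
output posted above, embedded here so the block runs offline."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the output posted in the thread, reproduced verbatim.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 06:59:05 EST Mon Feb 27 2006
This host: Primary - Active
Active time: 480 (sec)
Interface sdclan (10.164.4.1): Normal
Interface tcs (10.164.2.30): Normal
Interface dohrcpo (10.75.29.82): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface sdclan (10.164.4.2): Normal
Interface tcs (10.164.2.29): Normal
Interface dohrcpo (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.2): Normal
"""

# One interface line: name, address in parentheses, then the state text.
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (.+?)\s*$")

NO_STANDBY_IP = "standby unit has no IP address on this interface"
WAITING_FOR_PEER = "interface state is (Waiting): no hello received from the peer"

UnitTable = Dict[str, Tuple[str, str]]   # interface name -> (ip, state)


def parse_show_failover(text: str) -> Dict[str, UnitTable]:
    """Split the output into per-unit tables keyed 'this' (active) and 'other'."""
    units: Dict[str, UnitTable] = {"this": {}, "other": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("This host:"):
            current = "this"
        elif stripped.startswith("Other host:"):
            current = "other"
        m = IFACE_RE.match(line)
        if m and current is not None:
            units[current][m.group(1)] = (m.group(2), m.group(3))
    return units


def find_failover_gaps(units: Dict[str, UnitTable]) -> Dict[str, List[str]]:
    """Return {interface: [reasons]} for interfaces that cannot be fully monitored."""
    gaps: Dict[str, List[str]] = {}
    for name, (ip, state) in units["this"].items():
        peer_ip, peer_state = units["other"].get(name, ("<missing>", "<missing>"))
        if "Shutdown" in state and "Shutdown" in peer_state:
            continue   # administratively down on both units, nothing to monitor
        reasons = []
        if ip != "0.0.0.0" and peer_ip == "0.0.0.0":
            reasons.append(NO_STANDBY_IP)
        if "Waiting" in state or "Waiting" in peer_state:
            reasons.append(WAITING_FOR_PEER)
        if reasons:
            gaps[name] = reasons
    return gaps


if __name__ == "__main__":
    for iface, reasons in find_failover_gaps(parse_show_failover(SAMPLE_SHOW_FAILOVER)).items():
        print(iface, "->", "; ".join(reasons))
```

Run against the posted output, only `dohrcpo` is reported, with both reasons, which matches the thread: the link fails over on link loss or a reset of the primary, but the per-interface hello tests on that link never complete because the standby side has no address to answer from.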
